HIPAA data breaches climb 138 percent

February 6, 2014

When talking HIPAA privacy and security, the numbers do most of the talking.

Take 29.3 million, for instance, the number of patient health records compromised in HIPAA data breaches since 2009, or 138 percent, the jump in the number of health records breached just from 2012.

These numbers, compiled in a February 2014 breach report by healthcare IT security firm Redspin, don't tell the whole story, though, as they are the numbers reported to the U.S. Department of Health and Human Services by HIPAA covered entities.

Many healthcare breaches still go unreported, industry officials point out, and many breach offenders don't make the list of shame. Moreover, breaches involving the health records of fewer than 500 individuals are not required to be publicly reported, which also skews the final numbers.

Lisa Gallagher, senior director of privacy and security for HIMSS, said, speaking at the 2012 Boston Privacy and Security Forum, that somewhere between 40 million and 45 million patient records have actually been compromised. The number can't be confirmed, as the data isn't all there, she adds, but it's a more accurate number based on healthcare organizations' reporting.

Moreover, out of the 90,000 complaints HHS' Office for Civil Rights received in 2013, some 5,447 went unresolved. Although the office boasts a 94 percent success rate for resolving cases, some 53,000 of those cases may have been closed because either OCR lacked jurisdiction, or the complaint was untimely or withdrawn, not because a HIPAA violation did not occur.

Theft accounted for 83 percent of all large HIPAA privacy and security breaches, according to Redspin, which calculated its numbers using HHS data. Some 22 percent of breaches since 2009 were due to unauthorized access, and theft or loss of encrypted devices or computers accounted for 35 percent of all breaches; hacking accounted for 6 percent.

Many of these breaches, officials say, can be easily avoided through regular risk analysis and updating company policies. "By combining device scanning with an understanding of workflow, policies, and procedures, you get a more complete picture of what is actually happening in your environment," Redspin officials wrote in the report. "From there you can implement a remediation plan that significantly lowers your risk of breach."

Redspin officials also noted that from 2009 through 2012, business associates were involved in the majority of large-scale breaches. However, in 2013, BAs were only involved in 10 percent of breaches.

Under the new HIPAA Final Omnibus Rule, covered entities and business associates responsible for violating HIPAA privacy and security rules by failing to safeguard patient protected health information could face up to $1.5 million in annual fines.

Out of the more than 90,000 HIPAA breach cases OCR has received since 2003, only 17 of them have resulted in fines thus far.

When speaking with Healthcare IT News on the new HIPAA rules back in August, HHS' Office for Civil Rights Director Leon Rodriguez said those numbers are expected to go up, especially when the official audit program goes live this year.

"I think all these (17) cases really powerfully articulate those expectations and the fact that we will be holding people accountable," Rodriguez said.

When asked where HIPAA-covered entities most often make their biggest misstep, Rodriguez pointed to risk analysis inadequacies, for business associates and covered entities alike. It’s the "failure to perform a comprehensive, thorough risk analysis and then to apply the results of that analysis," he said.

Based on the complaints OCR has received, risk analysis failures top the list for the biggest security issues.
